Meta’s VR headsets are vulnerable to a security flaw that could trap users in a malicious virtual reality simulation. This attack could lead to the leakage of personal data and the theft of funds from victims’ bank accounts…
How can this happen?
Researchers at the University of Chicago have identified a security flaw in Meta’s VR headsets. This vulnerability opens the door to an attack dubbed “inception”, named after Christopher Nolan’s film and its concept of implanting ideas in a person’s mind without their knowledge. According to a study published by MIT Technology Review, this flaw could easily catch users in an unprecedented virtual reality trap.
Duplicated interface
To orchestrate the attack, the researchers connected to the Wi-Fi network of the target VR headsets and launched a malicious application on Meta Quest, designed to mimic the headset’s interface and deceive the user. This application clones interface elements, such as the home screen and applications, making the user believe they are navigating the Quest operating system normally when they are actually trapped in the malicious application.
Once the victim is trapped in this false reality, all their interactions can be intercepted or modified without their consent. The hacker can thus access everything the user sees or hears. This level of access makes it possible to steal sensitive data such as passwords, spy on conversations via a cloned version of VRChat, or even trick the user into making fraudulent bank transfers. Attackers could also use deepfakes to impersonate relatives and request emergency transfers, enabling easy access to banking information.
Virtual reality: an increasingly vulnerable target?
To prove that the cyberattack was possible, American researchers carried out a simulation on 27 users of virtual reality headsets. Fewer than half of the participants (37%) realized that they were being attacked.
However, the study points out that for the attack to be possible, the developer mode must be activated on the headset. This mode is essential, as it authorizes the downloading of third-party applications, a necessary condition for carrying out the attack. As a result, the majority of Quest users are not exposed to this risk.
The good news?
The flaw discovered in the headsets has not yet been exploited by cybercriminals. In a statement to MIT Technology Review, Meta said it would examine the vulnerability in question. Mark Zuckerberg’s company also underlined its continued commitment to collaborating with academic researchers through its bug bounty program and other initiatives.
Sources:
Security Flaw Uncovered in Meta’s VR Headsets
Meta Quest : une faille permet de vous piéger dans une simulation malveillante